Binary Decision Diagrams and Symbolic Model Checking - PowerPoint PPT Presentation

1
Binary Decision Diagrams and Symbolic Model Checking
Randy Bryant (CMU), Ed Clarke (CMU), Ken McMillan (Cadence), Allen Emerson (U Texas)
http://www.cs.cmu.edu/~bryant
2
Binary Decision Diagrams
  • Restricted Form of Branching Program
  • Graph representation of Boolean function
  • Canonical form
  • Simple algorithms to construct & manipulate
  • Application Niche
  • Problems expressed as Quantified Boolean Formulas
  • A lot of interesting problems are in PSPACE
  • Symbolic Model Checking
  • Prove properties about large-scale, finite-state
    system
  • Successfully used to verify hardware systems

3
Boolean Function as Language
Truth Table
Language
DFA
011, 101, 111
  • View n-variable Boolean function as language ⊆
    {0,1}^n
  • Reduced DFA is canonical representation

4
From DFA to OBDD
  • Canonical representation of Boolean function
  • Two functions equivalent if and only if graphs
    isomorphic
  • Desirable property: simplest form is canonical.

5
Representing Circuit Functions
  • Functions
  • All outputs of 4-bit adder
  • Functions of data inputs
  • Shared Representation
  • Graph with multiple roots
  • 31 nodes for 4-bit adder
  • 571 nodes for 64-bit adder
  • Linear growth

6
Effect of Variable Ordering
Good Ordering
Bad Ordering
7
Sample Function Classes
Function Class    Best         Worst        Ordering Sensitivity
ALU (Add/Sub)     linear       exponential  High
Symmetric         linear       quadratic    None
Multiplication    exponential  exponential  Low
  • General Experience
  • Many tasks have reasonable OBDD representations
  • Algorithms remain practical for up to 500,000
    node OBDDs
  • Heuristic ordering methods generally satisfactory

8
Symbolic Manipulation with OBDDs
  • Strategy
  • Represent data as set of OBDDs
  • Identical variable orderings
  • Express solution method as sequence of symbolic
    operations
  • Sequence of constructor & query operations
  • Similar style to on-line algorithm
  • Implement each operation by OBDD manipulation
  • Do all the work in the constructor operations
  • Key Algorithmic Properties
  • Arguments are OBDDs with identical variable
    orderings
  • Result is OBDD with same ordering
  • Each step polynomial complexity

9
If-Then-Else Operation
  • Concept
  • Basic technique for building OBDD from logic
    network or formula.
  • Arguments I, T, E
  • Functions over variables X
  • Represented as OBDDs
  • Result
  • OBDD representing composite function
  • (I ∧ T) ∨ (¬I ∧ E)

10
If-Then-Else Execution Example
Argument I
Argument T
Argument E
  • Optimizations
  • Dynamic programming
  • Early termination rules

11
If-Then-Else Result Generation
Recursive Calls
Without Reduction
  • Recursive calling structure implicitly defines
    unreduced BDD
  • Apply reduction rules bottom-up as return from
    recursive calls

12
Restriction Operation
  • Concept
  • Effect of setting function argument x_i to
    constant k (0 or 1).
  • Also called Cofactor operation (UCB)

13
Restriction Execution Example
Argument F
14
Derived Algebraic Operations
  • Other operations can be expressed in terms of
    If-Then-Else

And(F, G) = If-Then-Else(F, G, 0)
Or(F, G) = If-Then-Else(F, 1, G)
15
Generating OBDD from Network
Task: Represent output functions of gate network
as OBDDs.
Network
Evaluation
  • A ← new_var ("a")
  • B ← new_var ("b")
  • C ← new_var ("c")
  • T1 ← And (A, 0, B)
  • T2 ← And (B, C)
  • Out ← Or (T1, T2)

Resulting Graphs
16
Functional Composition
  • Create new function by composing functions F and
    G.
  • Useful for composing hierarchical modules.

17
Variable Quantification
Figure: quantification over variable x_i
  • Eliminate dependency on some argument through
    quantification
  • Combine with AND for universal quantification.

18
Finite State System Analysis
  • Systems Represented as Finite State Machines
  • Sequential circuits
  • Communication protocols
  • Synchronization programs
  • Analysis Tasks
  • State reachability
  • State machine comparison
  • Temporal logic model checking
  • Traditional Methods Impractical for Large
    Machines
  • Polynomial in number of states
  • Number of states exponential in number of state
    variables.
  • Example: a single 32-bit register has 4,294,967,296
    states!

19
Temporal Logic Model Checking
  • Verify Reactive Systems
  • Construct state machine representation of
    reactive system
  • Nondeterminism expresses range of possible
    behaviors
  • Product of component state machines
  • Express desired behavior as formula in temporal
    logic
  • Determine whether or not property holds

Figure: Traffic Light Controller Design → Model Checker → True, or False with Counterexample
Property: It is never possible to have a green light for
both N-S and E-W.
20
Characteristic Functions
  • Concept
  • A ⊆ {0,1}^n
  • Set of bit vectors of length n
  • Represent set A as Boolean function A of n
    variables
  • X ∈ A if and only if A(X) = 1

Set Operations
21
Symbolic FSM Representation
Symbolic Representation
Nondeterministic FSM
Figure: old state encoded by variables o1, o2; new state encoded by variables n1, n2
  • Represent set of transitions as function δ(Old,
    New)
  • Yields 1 if can have transition from state Old to
    state New
  • Represent as Boolean function
  • Over variables encoding states

22
Reachability Analysis
  • Task
  • Compute set of states reachable from initial
    state Q0
  • Represent as Boolean function R(S)
  • Never enumerate states explicitly

Figure: given δ and the initial state, compute R
23
Breadth-First Reachability Analysis
  • R_i = set of states that can be reached in i
    transitions
  • Reach fixed point when R_n = R_{n+1}
  • Guaranteed since finite state

24
Iterative Computation
  • R_{i+1} = set of states that can be reached in i+1
    transitions
  • Either in Ri
  • or single transition away from some element of Ri

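As an added example (not part of the original slides), a minimal Python OBDD package covering slides 9 to 17 and 20 to 24 together: If-Then-Else with a memo table and early termination, the reduction rule applied on return, restriction, existential quantification as the OR of the two cofactors, and breadth-first symbolic reachability iterated to a fixed point. The tuple node representation, the state encoding (old bit i = variable 2i, new bit i = variable 2i+1) and the mod-3 counter transition relation are assumptions of this example.

```python
from functools import lru_cache

ZERO, ONE = 0, 1                       # terminals; other nodes are tuples (var, lo, hi)
def mk(v, lo, hi):                     # reduction rule applied on return: drop a node
    return lo if lo == hi else (v, lo, hi)   # whose branches agree; equal tuples = isomorphic
def top(f):                            # index of root variable (terminals sort last)
    return f[0] if isinstance(f, tuple) else float("inf")
def cof(f, v, k):                      # cofactor when v is the root variable of f
    return (f[2] if k else f[1]) if isinstance(f, tuple) and f[0] == v else f
@lru_cache(maxsize=None)               # dynamic programming: memoize (I, T, E) triples
def ite(i, t, e):                      # (I ∧ T) ∨ (¬I ∧ E)
    if i == ONE or t == e: return t    # early termination rules
    if i == ZERO: return e
    if (t, e) == (ONE, ZERO): return i
    v = min(top(i), top(t), top(e))    # expand on the earliest variable in the ordering
    return mk(v, ite(cof(i, v, 0), cof(t, v, 0), cof(e, v, 0)),
                 ite(cof(i, v, 1), cof(t, v, 1), cof(e, v, 1)))
def var(v): return (v, ZERO, ONE)
def NOT(f): return ite(f, ZERO, ONE)
def AND(f, g): return ite(f, g, ZERO)  # derived operations, as on the slides
def OR(f, g): return ite(f, ONE, g)
def restrict(f, v, k):                 # set argument v to constant k (0 or 1)
    if not isinstance(f, tuple) or f[0] > v: return f
    if f[0] == v: return f[2] if k else f[1]
    return mk(f[0], restrict(f[1], v, k), restrict(f[2], v, k))
def exists(f, v):                      # ∃v.F = F|v=0 ∨ F|v=1 (AND instead gives ∀)
    return OR(restrict(f, v, 0), restrict(f, v, 1))
# Assumed encoding: old bit i = variable 2i, new bit i = 2i+1 (interleaved, so renaming keeps order)
def state(s, nbits, new=False):        # characteristic function of the single state s
    f = ONE
    for i in range(nbits):
        lit = var(2 * i + int(new))
        f = AND(f, lit if (s >> i) & 1 else NOT(lit))
    return f
def rename_new_to_old(f):              # substitute variable 2i+1 by 2i
    if not isinstance(f, tuple): return f
    return ite(var(f[0] - 1), rename_new_to_old(f[2]), rename_new_to_old(f[1]))

def reachable(delta, q0, nbits):       # R_{i+1} = R_i ∨ ∃Old.(R_i(Old) ∧ δ(Old, New))
    r = q0
    while True:
        img = AND(r, delta)
        for i in range(nbits): img = exists(img, 2 * i)      # quantify out Old
        nxt = OR(r, rename_new_to_old(img))
        if nxt == r: return r          # fixed point R_n = R_{n+1}; finite, so it terminates
        r = nxt
def counter_delta():                   # constructed system: mod-3 counter 0->1->2->0 on 2 bits
    d = ZERO
    for s, t in [(0, 1), (1, 2), (2, 0)]:
        d = OR(d, AND(state(s, 2), state(t, 2, new=True)))
    return d                           # state 3 has no incoming transition
```

Because the representation is canonical, set membership and emptiness checks reduce to comparing graphs: the reachable set never contains state 3, and no states are ever enumerated explicitly.
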
25
Symbolic FSM Analysis Example
  • K. McMillan, E. Clarke (CMU) & J. Schwalbe
    (Encore Computer)
  • Encore Gigamax Cache System
  • Distributed memory multiprocessor
  • Cache system to improve access time
  • Complex hardware and synchronization protocol.
  • Verification
  • Create simplified finite state model of system
    (10^9 states!)
  • Verify properties about set of reachable states
  • Bug Detected
  • Sequence of 13 bus events leading to deadlock
  • With random simulations, would require ≈2 years
    to generate failing case.
  • In real system, would yield MTBF < 1 day.

26
System Modeling Example
Gigamax Memory System
  • Simplifying Abstractions
  • Single word cache
  • Single bit/word
  • Abstract other clusters
  • Imprecise timing

Arbitrary reads & writes
27
Commercial Applications of Symbolic Model Checking
  • Several Commercial Tools
  • Difficult training and customer support
  • Most Large Companies Have In-House Versions
  • IBM, Lucent, Intel, Motorola, SGI, Fujitsu,
    Siemens,
  • Many based on McMillan's SMV program
  • Requires Sophistication
  • Beyond that of mainstream designers

28
Application Challenge
Challenging Systems to Design
System Size
Model checking Capacity
Degree of Concurrency
  • Cannot Apply Directly to Full Scale Design
  • Verify smaller subsystems
  • Verify abstracted versions of full system
  • Must understand system & tool to do effectively

29
Real World Issues
  • Still Too Volatile
  • Fail by running out of space
  • Useless once exceed physical memory capacity
  • Ongoing Research to Improve Memory Performance
  • Dynamic variable ordering
  • Exploiting modularity of system model
  • Partitioned transition relations
  • Exploiting parallelism
  • Map onto multiple machines
  • Difficult program for parallel computation
  • Dynamic, irregular data structures

30
Dynamic Variable Reordering
  • Richard Rudell, Synopsys
  • Periodically Attempt to Improve Ordering for All
    BDDs
  • Part of garbage collection
  • Move each variable through ordering to find its
    best location
  • Has Proved Very Successful
  • Time consuming but effective
  • Especially for sequential circuit analysis

31
Dynamic Reordering By Sifting
  • Choose candidate variable
  • Try all positions in variable ordering
  • Repeatedly swap with adjacent variable
  • Move to best position found

 
32
Swapping Adjacent Variables
  • Localized Effect
  • Add / delete / alter only nodes labeled by
    swapping variables
  • Do not change any incoming pointers

33
Tuning of BDD Packages
  • Cooperative Effort
  • Bwolen Yang, in cooperation with researchers from
    Colorado, Synopsys, CMU, and T.U. Eindhoven
  • Measure & improve performance of BDDs for
    symbolic model checking
  • Methodology
  • Generated set of benchmark traces
  • Run 6 different packages on same machine
  • Compare results and share findings
  • Cooperative competition

34
Effect of Optimizations
  • Compare pre- vs. post-optimized results for 96
    runs
  • 6 different BDD packages
  • 16 benchmark traces each
  • Limit each run to maximum of 8 CPU hours and 900
    MB
  • Measure speedup T_old / T_new or
  • New Failed before but now succeeds
  • Fail Fail both times
  • Bad Succeeded before, but now fails

35
Optimization Results Summary
36
What's Good about OBDDs
  • Powerful Operations
  • Creating, manipulating, testing
  • Each step polynomial complexity
  • Graceful degradation
  • Generally Stay Small Enough
  • Especially for digital circuit applications
  • Given good choice of variable ordering
  • Weak Competition
  • No other method comes close in overall strength
  • Especially with quantification operations

37
Thoughts on Algorithms Research
  • Need to be Willing to Attack Intractable Problems
  • Many real-world problems NP-hard
  • No approximations for verification
  • Who Works on These?
  • Mostly people in application domain
  • Most work on BDDs in computer-aided design
    conferences
  • Not by people with greatest talent in algorithms
  • No papers in STOC/FOCS/SODA
  • Probably many ways they could improve things
  • Fundamental dilemma
  • Can only make weak formal statements about
    efficiency
  • Utility demonstrated empirically